Bug 1391374 - User can't see the subscription they just added in an activation key
Summary: User can't see the subscription they just added in an activation key
Keywords:
Status: CLOSED DUPLICATE of bug 1333219
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.2.3
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: Unspecified
Assignee: Brad Buckingham
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-03 08:12 UTC by Neil Miao
Modified: 2016-11-07 20:39 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-07 20:39:34 UTC
Target Upstream Version:
Embargoed:



Description Neil Miao 2016-11-03 08:12:55 UTC
Description of problem:

A non-admin user reported that when they edit an activation key and add a subscription, the subscription they added cannot be seen in the "List/Remove" tab. In fact, they can't see any subscriptions in there.


Version-Release number of selected component (if applicable):
tfm-rubygem-katello-3.0.0.81-1.el7sat.noarch


How reproducible:
always


Steps to Reproduce:
1. assuming the satellite already has an org and a few locations, sub manifest is imported
2. create a role 'test' with the following permissions:
- all permissions under organization
- all permissions under content views
- all permissions under LC environments
- all permissions under activation keys
3. create a user 'jdoe', attach only the 'test' role
4. login as jdoe
5. create an activation key
6. add a few subscriptions to the activation key
7. go back to the 'List/Remove' tab
8. verify if any added subscriptions can be seen there

Actual results:
The tab says 'You currently don't have any Subscriptions associated with this Activation Key, you can add Subscriptions after selecting the 'Add' tab.'

Expected results:
A list of added subscriptions


Additional info:

Comment 1 Neil Miao 2016-11-03 08:31:53 UTC
The issue is caused by one missing permission.

The scoped_search returned an #<ActiveRecord::Relation []>, which is why the subscription list is empty.
The empty object comes from Pool.readable, which is defined in authorization/pool.rb. 


(/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.0.0.81/app/controllers/katello/api/v2/subscriptions_controller.rb)

-- snip --
    api :GET, "/organizations/:organization_id/subscriptions", N_("List organization subscriptions")
    api :GET, "/activation_keys/:activation_key_id/subscriptions", N_("List an activation key's subscriptions")
    api :GET, "/subscriptions"
    param_group :search, Api::V2::ApiController
    param :organization_id, :number, :desc => N_("Organization ID"), :required => true
    param :host_id, String, :desc => N_("id of a host"), :required => false
    param :activation_key_id, String, :desc => N_("Activation key ID"), :required => false
    param :available_for, String, :desc => N_("Object to show subscriptions available for, either 'host' or 'activation_key'"), :required => false
    param :match_host, :bool, :desc => N_("Ignore subscriptions that are unavailable to the specified host")
    param :match_installed, :bool, :desc => N_("Return subscriptions that match installed products of the specified host")
    param :no_overlap, :bool, :desc => N_("Return subscriptions which do not overlap with a currently-attached subscription")
    def index
      # this scoped_search call is what returned #<ActiveRecord::Relation []>
      collection = scoped_search(
        index_relation.uniq, :cp_id, :asc, resource_class: Pool, includes: [:subscription])

      if params[:activation_key_id]
        key_pools = @activation_key.get_key_pools
        collection[:results] = collection[:results].map do |pool|
          ActivationKeySubscriptionsPresenter.new(pool, key_pools)
        end
      end
      respond(:collection => collection)
    end

    def index_relation
      return for_host if params[:host_id]
      return available_for_activation_key if params[:available_for] == "activation_key"
      # Pool.readable (authorization/pool.rb) is where the empty relation comes from
      collection = Pool.readable
      collection = collection.where(:unmapped_guest => false)
      collection = collection.get_for_organization(Organization.find(params[:organization_id])) if params[:organization_id]
      collection = collection.for_activation_key(@activation_key) if params[:activation_key_id]
      collection
    end


-- snip --

Apparently, only the user with the permission :view_subscription (NOT :view_subscriptions) from resource type 'Katello::Subscription' is allowed to read pools.

(/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.0.0.81/app/models/katello/authorization/pool.rb)

-- snip --
    module ClassMethods
      def readable
        where(:subscription_id => Katello::Subscription.authorized(:view_subscription))
      end
    end
-- snip --

Problem is there is no such permission in the permissions table.

foreman=# select * from permissions where name like '%view_subscription%';
 id  |        name        |     resource_type     |         created_at         |         updated_at
-----+--------------------+-----------------------+----------------------------+----------------------------
 172 | view_subscriptions | Organization          | 2015-08-28 09:34:19.93697  | 2015-08-28 09:34:19.93697
 (1 rows)

 (note: view_subscriptions != view_subscription)

 User is able to see the subscriptions when the missing permission is added.

 foreman=# insert into permissions (name,resource_type,created_at,updated_at) values ('view_subscription','Katello::Subscription',current_timestamp,current_timestamp);
 INSERT 0 1

 foreman=# select * from permissions where name like '%view_subscription%';
 id  |        name        |     resource_type     |         created_at         |         updated_at
-----+--------------------+-----------------------+----------------------------+----------------------------
 172 | view_subscriptions | Organization          | 2015-08-28 09:34:19.93697  | 2015-08-28 09:34:19.93697
 270 | view_subscription  | Katello::Subscription | 2016-11-03 03:53:40.421009 | 2016-11-03 03:53:40.421009
(2 rows)
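
The mismatch Comment 1 describes, as an added example that is not part of the original bug report or Katello's own code: a Ruby audit that extracts permission names from `authorized(:...)` calls and reports any that have no row for that resource type, along with near-miss names. The source text, the second permission row, and the helper names (`missing_permissions`, `edit_distance`) are constructed for illustration.

```ruby
# Constructed stand-in for the model source quoted in Comment 1.
SOURCE = <<~'RUBY'
  module ClassMethods
    def readable
      where(:subscription_id => Katello::Subscription.authorized(:view_subscription))
    end
  end
RUBY

# Constructed permission rows as [name, resource_type]; the first mirrors
# row 172 from the psql output above, the second is made up.
PERMISSIONS = [
  ["view_subscriptions", "Organization"],
  ["view_activation_keys", "Katello::ActivationKey"]
].freeze

# Matches `Some::Class.authorized(:perm_name)`; captures class and name.
AUTHORIZED_CALL = /([A-Z][\w:]*)\.authorized\(:(\w+)\)/

# Levenshtein distance, used to surface singular/plural style near misses.
def edit_distance(a, b)
  row = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    prev, row[0] = row[0], i
    b.each_char.with_index(1) do |cb, j|
      cur = [row[j] + 1, row[j - 1] + 1, prev + (ca == cb ? 0 : 1)].min
      prev, row[j] = row[j], cur
    end
  end
  row.last
end

# One finding per authorized() call whose (name, resource_type) pair has no
# row; as in this report, such a scope yields an empty relation, not an error.
def missing_permissions(source, permissions)
  source.scan(AUTHORIZED_CALL).uniq.map do |resource, name|
    next if permissions.include?([name, resource])
    near = permissions.select { |n, _| edit_distance(n, name) <= 2 }
    { name: name, resource_type: resource, near_misses: near }
  end.compact
end

missing_permissions(SOURCE, PERMISSIONS).each do |f|
  puts "MISSING #{f[:name]} on #{f[:resource_type]}; " \
       "similar rows: #{f[:near_misses].inspect}"
end
```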

Comment 6 Brad Buckingham 2016-11-07 20:39:34 UTC
This bugzilla is a duplicate of bug 1333219 and has a fix upstream.  I am going to close this bugzilla, but will bump up the priority of the other in hopes that it can get incorporated into an upcoming 6.2.z.

*** This bug has been marked as a duplicate of bug 1333219 ***

